Lesson from the Anthem hack: Cybersecurity must extend beyond encryption

Last week's massive exposure at insurance giant Anthem of 80 million individuals' unencrypted records has shifted national attention to data encryption as a possible defense against hackers. But new revelations about the Anthem incident should prompt healthcare information technology administrators to be thinking beyond encryption when it comes to cybersecurity procedures.

Staffers who unwittingly give out or are careless with access information are often the weakest link in the cyber-defense plan at any healthcare organization.

Chinese hackers got into Anthem's network by snatching vital access data from at least one computer system administrator, according to Anthem, and possibly as many as five system administrators, according to an Associated Press report.

By obtaining a system administrator's credentials, hackers could have made encryption of data useless as a data shield, said Ken Westin, senior security analyst with Tripwire, a Portland, Ore.-based data security firm. “If I have administrator-level credentials, if I have those keys, I'm going to be able to decrypt that data pretty quickly,” he explained.

But that's not to say there is no role for encryption in an organization's data security armory. Of healthcare breaches involving more than 500 individuals' records since September 2009, 52% of the incidents were attributed to theft, 8% to loss of storage media, such as a laptop computer or thumb drive, and 4% to improper disposal, all potentially addressed by encryption, according to a list maintained by the Office for Civil Rights at HHS.

In the provisions on healthcare data breaches in the 2009 American Recovery and Reinvestment Act and subsequent rule-making, providers are given a safe harbor from the law's breach notification provisions if the data that's stolen, lost or misplaced has been encrypted to the specifications of the National Institute of Standards and Technology.

“Encryption should be on the list” of counter-measures put in place to deter hacking, said Rich Mogull, founder and CEO of Securosis, a cybersecurity research firm.

But also, “hire a chief information security officer and put them in a position of power where they could actually affect the decisions made. To be honest, I've spoken to relatively few healthcare organizations that even have security professionals in positions where they can help organizations make decisions,” Mogull said.

A chief security officer can oversee staff training to combat what's known in hacker circles as social engineering—manipulating an employee to unwittingly give out a password or other access information to a data system, for example.

“The next step is to fund it,” Mogull said. “Organizations need to be spending at least 7% of their IT budgets to see any improvement.”

According to an industry survey released last year by the Healthcare Information and Management Systems Society, spending on security averaged about 3% of healthcare organizations' IT budgets, up slightly from an earlier survey.

“They also have to make security a priority in making their buying decisions” of products other than security systems, such as medical devices, Mogull said.